coffee with carol - what's new in ibm i security in v7r3 and v7r2


Uploaded by helpsystems, posted 21-Feb-2017


TRANSCRIPT

6/8/2016

helpsystems.com/professional-security-services

What's New in IBM i Security in V7R2 and V7R3

Carol Woodbury, VP of Global Security Services

Scott Forstie, Business Architect, DB2 for IBM i

HelpSystems LLC. All rights reserved.

New QAUDLVL values in V7R2

• *PTFOBJ – Changes to PTF objects during PTF operations

• *PTFOPR – PTF operations, such as load, apply or removal of a PTF


“Before” values added to these audit entries

• AD—Auditing value changes

• AU—Attribute changes

• CA—Authority changes

• CP—User profile changes (Note: only the previous special authority values have been added)

• DI—Directory server

• GR—Generic record (added changes to the function usage (Application Administration) settings)

• PA—Program adopt

• PG—Primary group changes

• RA—Restore object authority changes (added the name of the authorization list)

• RJ—Restore job description (added the user name that had been specified in the job description)

• RO—Ownership changes for restored objects

• RZ—Primary group changes for restored objects

Other enhancements

• TLS version 1.1 (TLSv1.1) and 1.2 (TLSv1.2) are now available by default

• Online Certificate Status Protocol (OCSP) is now supported. This is a method for determining whether a digital certificate has been revoked

• DCM now supports the ability to assign multiple certificates to a server

– Up to 4 in V7R3

• Services using the AES and SHA-2 algorithms, such as the crypto services APIs, software tape encryption and system-supplied SSL and VPN connections, will see a performance gain on POWER8 hardware.


QPWDRULES

V6R1: *PWDSYSVAL or any combination of

• *CHRLMTAJC

• *CHRLMTREP

• *DGTLMTAJC

• *DGTLMTFST

• *DGTLMTLST

• *DGTMAXn

• *DGTMINn

• *LMTSAMPOS

• *LMTPRFNAME

• *LTRLMTAJC

• *LTRLMTFST

• *LTRLMTLST

• *LTRMAXn

• *LTRMINn

• *MAXLENnnn

• *MINLENnnn

• *MIXCASEnnn

• *REQANY3

• *SPCCHRLMTAJC

• *SPCCHRLMTFST

• *SPCCHRLMTLST

• *SPCCHRMAXn

• *SPCCHRMINn

V7R2 addition:

• *ALLCRTCHG – password rules apply even when running CRTUSRPRF/CHGUSRPRF
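To make the rule keywords above concrete, here is an added checker written for this page (example code, not IBM's QPWDRULES implementation) that takes a rule list in the same notation and reports which rules a candidate password breaks. The semantics follow the IBM i documentation for each keyword; two things are assumptions made here: any character that is neither a letter nor a digit is treated as a special character (the set IBM i accepts depends on QPWDLVL), and the *LMTSAMPOS comparison against the previous password is case-insensitive. The rule set, profile name and passwords at the bottom are constructed.

```python
"""Checker for a QPWDRULES-style rule list (added example, not IBM code)."""
import re

UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")


def _is_letter(c):
    return c in UPPER or c in LOWER


def _is_digit(c):
    return c in DIGITS


def _is_special(c):
    # Assumption: anything that is not a letter or digit counts as special;
    # the set IBM i actually accepts depends on QPWDLVL.
    return not (_is_letter(c) or _is_digit(c))


_CLASS = {"DGT": _is_digit, "LTR": _is_letter, "SPCCHR": _is_special}
# Counts are accepted with 1-3 digits so both *MIXCASEn and *MIXCASEnnn parse.
_LEN_RULE = re.compile(r"\*(MINLEN|MAXLEN|MIXCASE)(\d{1,3})")
_CLASS_RULE = re.compile(r"\*(DGT|LTR|SPCCHR)(LMTAJC|LMTFST|LMTLST|MAX\d|MIN\d)")


def check_password(pw, rules, profile=None, previous=None):
    """Return the rules (in the order given) that pw violates; [] means it passes.

    profile  - user profile name, needed for *LMTPRFNAME
    previous - the user's previous password, needed for *LMTSAMPOS
    """
    violations = []
    for rule in rules:
        r = rule.upper()
        ok = True
        if r in ("*PWDSYSVAL", "*ALLCRTCHG"):
            # *PWDSYSVAL defers to the older QPWDxxx values; *ALLCRTCHG only says
            # the rules also apply to CRTUSRPRF/CHGUSRPRF. Neither tests a password.
            continue
        m = _LEN_RULE.fullmatch(r)
        if m:
            kind, n = m.group(1), int(m.group(2))
            if kind == "MINLEN":
                ok = len(pw) >= n
            elif kind == "MAXLEN":
                ok = len(pw) <= n
            else:  # *MIXCASEn: at least n upper-case and n lower-case letters
                ok = (sum(c in UPPER for c in pw) >= n
                      and sum(c in LOWER for c in pw) >= n)
        elif r == "*REQANY3":
            # Characters from at least three of: upper, lower, digit, special
            kinds = (any(c in UPPER for c in pw), any(c in LOWER for c in pw),
                     any(map(_is_digit, pw)), any(map(_is_special, pw)))
            ok = sum(kinds) >= 3
        elif r == "*LMTPRFNAME":
            ok = profile is None or profile.upper() not in pw.upper()
        elif r == "*LMTSAMPOS":
            # Same character may not sit in the same position as in the previous
            # password (compared case-insensitively here, an assumption).
            ok = previous is None or all(
                a.upper() != b.upper() for a, b in zip(pw, previous))
        elif r == "*CHRLMTAJC":   # no character twice in a row
            ok = all(a != b for a, b in zip(pw, pw[1:]))
        elif r == "*CHRLMTREP":   # no character more than once at all
            ok = len(set(pw)) == len(pw)
        else:
            m = _CLASS_RULE.fullmatch(r)
            if not m:
                raise ValueError(f"unknown QPWDRULES value: {rule}")
            pred, sub = _CLASS[m.group(1)], m.group(2)
            count = sum(map(pred, pw))
            if sub == "LMTAJC":      # two of this class may not be adjacent
                ok = not any(pred(a) and pred(b) for a, b in zip(pw, pw[1:]))
            elif sub == "LMTFST":    # not in the first position
                ok = not (pw and pred(pw[0]))
            elif sub == "LMTLST":    # not in the last position
                ok = not (pw and pred(pw[-1]))
            elif sub.startswith("MAX"):
                ok = count <= int(sub[3])
            else:                    # MINn
                ok = count >= int(sub[3])
        if not ok:
            violations.append(r)
    return violations


# Constructed rule set in QPWDRULES notation, tried against two candidates.
SAMPLE_RULES = ["*MINLEN010", "*REQANY3", "*DGTMIN1", "*SPCCHRMIN1",
                "*CHRLMTAJC", "*DGTLMTFST", "*DGTLMTLST", "*LMTPRFNAME"]

if __name__ == "__main__":
    for pw in ("Tr0ub4dor!x", "carol123"):
        print(pw, "->", check_password(pw, SAMPLE_RULES, profile="CAROL") or "OK")
```

Running the file shows the first candidate passing and the second failing length, *REQANY3, the special-character minimum, the trailing-digit rule and *LMTPRFNAME, which is the same set of reasons CHGPWD would give. Unknown keywords raise rather than being silently skipped, so a typo in a rule list is caught instead of weakening the policy.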

Up next: V7R3


V7R3 auditing enhancements

• CP – the audit entry now contains all user profile attributes except TEXT and AUT (*PUBLIC authority), for both creation of and changes to a user profile

• QAUDLVL

– *NETSECURE (to audit secure network connections)

– *NETTELSVR (to audit telnet connections)

– *NETUDP (to audit UDP connections)

– *NETSCK is no longer considered a subset of *NETCMN

Authority Collection

• Collects, per user, the objects (programs, files, etc.) that the user accesses, along with:

– Current authority

– Source of the authority

– Specific authority required by the operating system


Start Authority Collection (STRAUTCOL)

Querying the collection


Ways to use the Authority Collection

• Run a query before rolling out a new security implementation to your entire user base and ensure your test users have all the authority required to run the application and that it’s coming from the source you intended.

• Determine which application objects (especially *FILE objects) can have their authority immediately set to a more restrictive setting, without fear that the application will stop working.

• Determine the exact authority required to work with IFS objects prior to implementing a new FTP process or ODBC connection on production.

• Determine the authority required for service accounts to work with database files. Simply turn on the authority collection for the service account, examine the entries, and determine the authority required. Undoubtedly it will not require *ALLOBJ!

• Use the authority-required fields to prove to developers and application providers that *ALL authority is not required.

The collection only records objects that were actually touched while it was active, so exercise every function you intend to lock down (batch jobs and period-end processing included) before treating the result as the complete requirement.
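The "Querying the collection" slide was a screenshot, and the bullets above describe what to do with the rows once you have them; the following added example (written for this page, not code from the deck or from IBM) does that step offline. On a live 7.3 system the rows come from the QSYS2.AUTHORITY_COLLECTION view; the rows here are constructed, and the column names used and the assumption that AUTHORITY_SOURCE mentions *ALLOBJ when the check passed only through that special authority are assumptions about the view's layout. The *USE/*CHANGE/*ALL definitions are the standard IBM i authority classes. For each user and object it unions the required authority over every recorded access, maps that to the smallest standard class (or to a specific-authority list when no class fits without *ALL), and flags where the user currently holds more than needed or is getting through on *ALLOBJ.

```python
"""Least-privilege review of Authority Collection rows (added example, not IBM code)."""
from collections import defaultdict

# IBM i object and data authorities, and the standard classes built from them.
DETAILED = ("*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
            "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE")
CLASSES = {
    "*EXCLUDE": frozenset(),
    "*USE": frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*CHANGE": frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*ALL": frozenset(DETAILED),
}
ORDER = ("*EXCLUDE", "*USE", "*CHANGE", "*ALL")


def expand(authority):
    """'*CHANGE' or '*OBJOPR *READ' -> frozenset of detailed authorities."""
    out = set()
    for tok in authority.upper().split():
        if tok in CLASSES:
            out |= CLASSES[tok]
        elif tok in DETAILED:
            out.add(tok)
        else:
            raise ValueError(f"unknown authority token {tok!r}")
    return frozenset(out)


def minimal_class(required):
    """Smallest standard class that is a superset of the observed requirement."""
    return next(name for name in ORDER if required <= CLASSES[name])


def recommend(rows):
    """Per user and object: union the required authority over every access,
    compare it with what the user currently holds, and flag *ALLOBJ reliance."""
    groups = defaultdict(lambda: {"req": set(), "cur": set(), "allobj": False})
    for r in rows:
        key = (r["AUTHORIZATION_NAME"], r["SYSTEM_OBJECT_SCHEMA"],
               r["SYSTEM_OBJECT_NAME"], r["SYSTEM_OBJECT_TYPE"])
        g = groups[key]
        g["req"] |= expand(r["REQUIRED_AUTHORITY"])
        g["cur"] |= expand(r["CURRENT_AUTHORITY"])
        # Assumption: the source column mentions *ALLOBJ when the check passed only
        # because of that special authority, the case the deck says is never needed.
        if "*ALLOBJ" in r["AUTHORITY_SOURCE"].upper():
            g["allobj"] = True
    findings = []
    for key, g in sorted(groups.items()):
        req = frozenset(g["req"])
        cls = minimal_class(req)
        # If only *ALL would cover the requirement but not every authority is used
        # (e.g. just *OBJMGT), a private authority naming the exact set is tighter.
        if cls == "*ALL" and req != CLASSES["*ALL"]:
            cls = " ".join(a for a in DETAILED if a in req)
        findings.append({
            "user": key[0],
            "object": f"{key[1]}/{key[2]} {key[3]}",
            "required": cls,
            "current": minimal_class(frozenset(g["cur"])),
            "over_privileged": g["cur"] > req,   # strict superset of what was needed
            "via_allobj": g["allobj"],
        })
    return findings


# Constructed rows shaped like the view's output: a service account that reads and
# updates a file under *ALLOBJ, and runs a program it holds *USE to via *PUBLIC.
SAMPLE_ROWS = [
    {"AUTHORIZATION_NAME": "SVCACCT", "SYSTEM_OBJECT_SCHEMA": "APPLIB",
     "SYSTEM_OBJECT_NAME": "CUSTOMER", "SYSTEM_OBJECT_TYPE": "*FILE",
     "REQUIRED_AUTHORITY": "*OBJOPR *READ", "CURRENT_AUTHORITY": "*ALL",
     "AUTHORITY_SOURCE": "USER *ALLOBJ"},
    {"AUTHORIZATION_NAME": "SVCACCT", "SYSTEM_OBJECT_SCHEMA": "APPLIB",
     "SYSTEM_OBJECT_NAME": "CUSTOMER", "SYSTEM_OBJECT_TYPE": "*FILE",
     "REQUIRED_AUTHORITY": "*OBJOPR *ADD *UPD", "CURRENT_AUTHORITY": "*ALL",
     "AUTHORITY_SOURCE": "USER *ALLOBJ"},
    {"AUTHORIZATION_NAME": "SVCACCT", "SYSTEM_OBJECT_SCHEMA": "APPLIB",
     "SYSTEM_OBJECT_NAME": "ORDENT", "SYSTEM_OBJECT_TYPE": "*PGM",
     "REQUIRED_AUTHORITY": "*USE", "CURRENT_AUTHORITY": "*USE",
     "AUTHORITY_SOURCE": "*PUBLIC"},
]

if __name__ == "__main__":
    for f in recommend(SAMPLE_ROWS):
        print(f)
```

For the constructed rows the file needs *CHANGE, not the *ALL the account is exercising through *ALLOBJ, while the program is already at least privilege; that is exactly the evidence the "prove to developers that *ALL is not required" bullet asks for. Because the union is taken over every access, the recommendation is only as complete as the workload driven during the collection window.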

Authority Collection – more considerations

• You must have either *ALLOBJ special authority or be authorized to the Database Security Administrator function (QIBM_DB_SECADM) to start the collection. You can administer this function via Application Administration (which is available as part of Navigator for i) or the Work with Function Usage (WRKFCNUSG) command.

• Limit User Function (Application Administration) settings are not recorded.

• For those features where authority to an object plus some special authority is required, the special authority requirement is not recorded.

• To display whether a collection is active and/or an authority collection repository exists for a user, run the DSPUSRPRF (Display User Profile) command and scroll to the end of the display.

• While a user’s collection setting is saved when running the SAVSECDTA (Save Security Data) command, the actual collection data is not.

• If an authority collection exists and the profile is deleted, its authority collection is also deleted.

• If you specify to collect authority for all objects in all libraries, some objects, such as operating system programs, are omitted from the collection; however, objects such as IBM-supplied commands will be included in the collection data.

• See Chapter 10 of the IBM i Security Reference manual for more details.


For more information

• IBM i Security Administration and Compliance, 2nd edition

– www.mc-store.com/5129.html

• Technical updates

– www.ibm.com/developerworks/ibmi/techupdates

• IBM i Information Center

– http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i/welcome

• Security Reference manual

– Chapter 9 – Auditing

– Chapter 10 – Authority Collection

Questions?

www.helpsystems.com

www.helpsystems.com/professional-security-services

800-328-1000 | [email protected]